Managing Risks: A New Framework

Anette Mikes, Harvard Business School
IRM, Manchester, 25 April 2012


Copyright President & Fellows of Harvard College

A Case Study in Risk Management

Risk Management is Non-Intuitive

JPL engineers graduate from top schools at the top of their class. They are used to being right in their design and engineering decisions. I have to get them comfortable thinking about all the things that can go wrong.
- Gentry Lee, Chief Systems Engineer, NASA JPL

Risk Management and the Financial Crisis


Conflicting pressures?
Faster, better, cheaper

Growth, profit, control

The cultural position of the risk function

Companies that failed had relegated risk management to a compliance function, with no access to top management.

HBOS had "a cultural indisposition to challenge", and the task of "being a risk and compliance manager felt a bit like being a man in a rowing boat trying to slow down an oil tanker."
UK Treasury Committee (7th report); Paul Moore

Do complex organizations fail inevitably?

BP Deepwater Horizon: Post Mortem

The disaster can be attributed to

an organizational culture and incentives that encourage cost cutting and cutting of corners that reward workers for doing it faster and cheaper, but not better. Management failure crippled the ability of individuals involved to identify the risks they faced, and to properly evaluate, communicate, and address them.
- The National Commission's Report to the President

Individual and Organizational Biases

Risk mitigation is painful; not a natural event for humans to perform.


- Gentry Lee, Chief Systems Engineer, NASA JPL

Individual and Organizational Biases


Individual biases:
Overconfidence
Tendency to anchor our estimates
Confirmation bias
Escalation of commitment

Organizational biases:
Groupthink

Rather than mitigating risk, firms incubate risk through the normalization of deviance

Effective risk-management processes must counteract those biases

What's distinctive about risk management?


A practice-based definition (Kaplan & Mikes, HBR forthcoming):
Active and intrusive processes that
are capable of challenging existing assumptions about the world within and outside the organization ...
communicate risk information with the use of distinct tools (risk maps, value-at-risk models, stress tests etc.)
complement, but do not displace, existing management control practices

Different Types of Risk Management


Risk management is too often treated as a compliance issue

New categorization of risk


Some risks can be managed through a traditional rules-based model and some require alternative approaches

Companies need to anchor risk discussions in their strategy formulation and implementation processes.

Different Types of Risk

Category I: Preventable Risks


Risks arising from within the company that generate no strategic benefits
Eg: risks from employees' and managers' unauthorized, illegal, unethical, incorrect, or inappropriate actions; risks from breakdowns in routine operational processes

Companies should seek to eliminate these risks

Active prevention: monitoring operational processes and guiding people's behaviors and decisions toward desired norms

Category II: Strategy Risks


Risks voluntarily accepted by the company in order to generate superior returns from its strategy
Eg: credit risk assumed by a bank when it lends money; risks taken on by companies through their R&D activities

Not inherently undesirable

Reduce the probability that the assumed risks materialize and improve the company's ability to contain the risk events should they occur

Category III: External Risks


Risks arising from events outside the company and beyond its influence or control.
Eg: natural and political disasters; major macroeconomic shifts

Companies cannot prevent such events from occurring

Management must focus on identification (obvious only in hindsight) and mitigation of their impact

Managing Preventable Risks

Failures in Controlling Preventable risks


Siemens Bribery and Corruption Scandal

o Pay $1.6 billion in fines and $850 million for internal investigations by outside lawyers and accountants.
o Nine former members of Managing Board sued for $28.3 million for breaching fiduciary duties
o Two former CEOs agree to pay more than $10 million to settle cases brought against them.

Société Générale: The Jérôme Kerviel Affair

o Losses of about 7 billion (2007).
o Société Générale has to raise 5.5 billion in new capital.

Situational forces: The fraud triangle

Situational forces - How good people turn bad


Organizational pressure
Group pressure and the Lure of the Inner Circle
Blind obedience to authority
Not recognizing red flags and an exit opportunity

What individuals can do - Step up to situational forces


Stand firm on principle despite intense pressures
I am responsible
Whistle blowers: individuals who are aware of illegal or unethical activities who report the activities without expectation of reward

Heroes' risks:
Career risk
Professional ostracism
Loss of status
Financial loss
Loss of credibility

What corporate leaders can do


Companies cannot anticipate every circumstance or conflict of interest that an employee might encounter, but should clearly articulate their
Mission
Values
Boundaries

Top managers must serve as role models

Importance of strong internal control systems and independent internal audit department

The Mission

Medicine is for people, not for profits. The profits follow, and if we have remembered that, they have never failed to appear.
- George Merck, CEO and founder's son (1950).

Boundary Systems

Opportunity Space

Boundary System

Domain for Search and Empowerment


Beliefs System

Managing Strategy Risks

Building great things means taking risks.


This can be scary and prevents most companies from doing the bold things they should. However, in a world that's changing so quickly, you're guaranteed to fail if you don't take any risks. We have another saying: "The riskiest thing is to take no risks."
- Facebook IPO prospectus

3 distinct approaches to managing strategy risks

One size does not fit all in terms of the structures and roles for the risk management function

However, all encourage employees to challenge existing assumptions and debate risk information

I. Independent Experts
High intrinsic risk, but risk changes slowly over time

Risk management handled at the project level

Case: Risk management at JPL


CRO Risk review board made up of independent technical experts
Role is to challenge project engineers' design, risk-assessment, and risk-mitigation decisions (culture of intellectual confrontation)

Authority over budgets: establishes cost and time reserves according to its degree of risk

II. Facilitators
Risk stems largely from seemingly unrelated operational choices across a complex organization that accumulate gradually and can remain hidden for a long time
Risk management by a small central risk-management group that collects information from operating managers

Hydro One
CRO runs workshops with employees from all levels and functions

Employees identify and rank the principal risks to the strategic objectives
Capital allocation and budgeting decisions linked to identified risks

III. Embedded Experts


Risk profile can change dramatically with a single deal or major market movement
Risk management by embedded experts within the organization to continuously monitor and influence the business's risk profile, working with line managers
Danger for the embedded risk managers to "go native"

JP Morgan Private Bank
Report to both line executives and a centralized risk-management function
Continually ask "what if" questions

Avoiding the Function Trap


Companies tend to label and compartmentalize risk, especially along business function lines

Companies can achieve an integrated risk perspective by anchoring their discussions in strategic planning

Companies also need a risk oversight structure

Infosys

As we asked ourselves about what risks we should be looking at, we gradually zeroed in on risks to business objectives specified in our corporate scorecard.
MD Raganath, CRO, Infosys

Risk discussions generated from the Balanced Scorecard


Eg: growing client relationships identified as a key objective,

Management realized that strategy had introduced a new risk factor: client default.
Implication: monitor CDS rates of large clients etc....

Volkswagen do Brasil
Risk discussions generated from the company's strategy map
Risk events identified for each objective
Risk Event Card prepared for each risk
High-level summary of results presented to senior management

Volkswagen do Brasil: Risk Event Card

Volkswagen do Brasil: Risk Report Card

Organizing the risk function


Hydro One:
Large company, but small risk group

JPL / JP Morgan Private Bank:


Small companies/units, but multiple project-level review boards or teams of embedded risk managers

Infosys:
Dual structure: central risk team; specialized functional teams

Managing External Risks

Some external risk events sufficiently imminent for managers to manage them like their strategy risks
Eg: risk of increased protectionism at Infosys

Most external risk events require a different analytic approach


Probability of occurrence very low
Difficult to envision them during the normal strategy processes

Sources of External Risk


Natural and economic disasters with immediate impact
Eg: 2010 Icelandic volcano eruption; bursting of a major asset price bubble; 2011 Japanese earthquake and tsunami

Geopolitical and environmental changes with long-term impact


Eg: political shifts; long-term environmental changes; depletion of critical natural resources

Competitive risks with medium-term impact


Eg: emergence of disruptive technologies; radical strategic moves by industry players

Dealing With External Risks


Tail-risk stress tests
Assess major changes in one or two specific variables whose effects would be major and immediate, although the exact timing is not forecastable
Depends critically on the assumptions (may themselves be biased)

Scenario planning
Systematic process for defining the plausible boundaries of future states of the world
Long-range analysis (typically 5-10 year)

War-gaming
Assesses a firm's vulnerability to disruptive technologies or changes in competitors' strategies

Wrap-up

Risk Management is Not Strategy Management


Risk management focuses on uncertainties that could impair mission and strategic objectives

Mitigating risk involves dispersing resources and diversifying investments

Most companies need a separate function to handle strategy- and external-risk management

Smart questions or dumb questions?


Do you have an embedded risk management system?

Do you have a strong risk culture?

Do you have a risk appetite policy that is well understood by every member of the organization?

Dumb questions
Lack traction, and are relatively easy for a CEO or CRO to answer and deflect without revealing much of substance

Invite busy executives to rehearse risk management clichés

The answers to banks of dumb questions are more likely to be self-reinforcing and reveal little about the real risk management.

They will tend to produce an illusion of control.

Power, M., Smart and Dumb Questions to Ask About Risk Management. Risk Watch, May 2011

Smart questions to the CEO


What are the processes by which you satisfy yourself that risk appetite is a real constraint on action? Is the organization good at stopping bad projects that have gained momentum?

When was the last time something was stopped in the organization because it was considered too risky?
How do you feel about meetings with the chief risk officer?
Do you feel you talk to your chief risk officer enough?
What are the three most important bits of management information that you use each day? What do they tell you, if anything, about risk?

Power, M., Smart and Dumb Questions to Ask About Risk Management. Risk Watch, May 2011

Smart questions to the CRO


Have you ever been excluded from meetings that you felt you ought to attend? What did you do about it?

Do you feel you have enough contact with the CEO?

Can you envisage being able to veto developments? Did you ever try, and why?

Are you involved in product development from the beginning? If not, why not?

Power, M., Smart and Dumb Questions to Ask About Risk Management. Risk Watch, May 2011

It's an evolution: Risk managers shape their own fate too!


Taking responsibility or shifting blame

Competing with other staff groups

Expanding or limiting boundaries

Working on the relationship with the business

Thank you!
